Command & Control, Malware, & Beaconing

Jan Sun, 2019

What to Know

Day to day, your Security Analysts monitor many panes of glass, react to possible threats, and study attack vectors. One alert or potential attack we’re sure they’ve come across is the command and control server and the associated beaconing attempts.

It’s crucial that an organization understands command and control (C&C, C2), and malware beaconing activities, to accurately detect and mitigate them. Malware beaconing involves the sending of short and routine communications from an infected machine (heartbeat or timed beacon) to the attacker, or C&C server, signaling that the infected computer is now available and listening for further instructions. This signal can also be the exfiltration of data from the infected machine and your environment!

Receiving an alert of beaconing traffic on your network is an excellent indication that there is a compromised host or server in your environment, which requires validation and analysis. Once a node has been infected, the malware will call out to its C&C server, passing along the hosts environmental details, and waiting for additional code (like a rootkit), or other instructions. There is always a concern an infected node will be made a part of a botnet, and there’s the chance the infection allows the attacker to pivot and spread throughout the network.

Beacon Detection

Beacon detection is not always easy, as they remain “under-the-radar”, moving low and slow, dependent on receiving the C&C server’s instructions, and on the malware authors purpose. Additionally, to complicate matters, bad actors can code malware beacons to make their connections (tunnel) using ports that are already open such as http/80, https/443, and DNS/53. This assists in their hidden nature, as the communication become lost amidst the network noise.

A popular C&C communication trend is for C&C communications to use public DNS servers rather than those within the environment – avoiding detection. It’s essential that organizations take beaconing traffic – and their detection by security tools – seriously as beaconing indicates malware. It’s paramount that mitigation is conducted prior to an infected machine’s damage to the environment, and preferably before it can download additional tools and instructions from the attacker’s C&C server or master controller.

Security Analysts can detect and respond to the beaconing activities by reviewing packet captures (PCAP), signatures, triggered rules, and researching and resolving destination IP addresses. Concerns abound that modern malware is becoming weaponized and sophisticated enough to recognize signature-based antivirus, antimalware, and endpoint detection software used by most organizations.

Bad actors and malware coders understand how typical malware scanners function and design their attacks, and beaconing communications accordingly. Packages designed to act stealthily and remain hidden aren’t often the cause of detection, it’s the URL or IP address. C&C malware will typically have many FQDNs and IPs that will begin to communicate automatically and iteratively upon successful infection.

Network Intrusion Devices

Outbound traffic to the intermediate or C&C servers can be detected at times by an enterprise grade antivirus, along with a next generation firewall or IDS/IPS due to the signatures and behaviors, but not always. Network intrusion devices can recognize patterns, anomalies, and Security Analysts may recognize those having predictable packet sizes or beaconing intervals. Often, the initial malware size is kept small until data exfiltration begins! Beaconing intervals and communication can be random or predictable (every 10 sec, etc.) and be triggered by the infected machine, user, unpatched vulnerabilities or open ports.

Network intrusion devices utilize pattern matching, malware URL paths, and IPs for detection. Malware that employs C&C and beaconing such as GhostNet may involve more than one component, and more than one stage. GhostNet utilized two malware components in two different stages.

First stage: included the infection or dropping of the malicious payload (document, opened by the user); and

Second stage: starting the C&C connection over http/80.

It is essential to remediate malware that’s attempting to utilize C&C communication outside of your organization, and its beaconing before the establishment of a shadow network within your enterprise infrastructure. In addition to adding more C&C protection and detection, you should ask what the network indicators of beaconing malware and C&C are, and within regular network traffic patterns, can you recognize and isolate beaconing in instances such as extended sessions, which don’t contain regular web browsing activity, headers, and meta-data.

For more information on command & control, malware, and beaconing, contact our security professionals at contactus@secuvant.com or 855-732-8826.